RE: IDS event filtering
From: Ofer Shezaf (Ofer.Shezaf_at_breach.com)
Date: 01/04/05
- Previous message: Lily: "the algorithm about tcpdump data"
- Maybe in reply to: dcdave_at_att.net: "RE: IDS event filtering"
- Next in thread: Phil Hollows: "RE: IDS event filtering"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 4 Jan 2005 05:40:44 -0500
To: <focus-ids@lists.securityfocus.com>
To add my two cents:
Filtering is not only about yes and no, but also about severity.
My experience shows that management reports should also include a summary
of unsuccessful attacks, as they are used for policy creation and
budgeting. In other words, I would like to show my boss that the world
is dangerous, and that it attacks our systems.
On the other hand, in real-time monitoring that produces actionable items,
I would not want to see events that do not pose an immediate threat.
The trick in many IDS/SIM systems is to set different severity levels:
information-only for non-immediate events and high severity for events
that pose an immediate threat.
Ofer Shezaf
CTO, Breach Security
Tel: +972.9.956.0036 ext.212
Cell: +972.54.443.1119
ofers@breach.com
http://www.breach.com
> -----Original Message-----
> From: Billy Dodson [mailto:CraftedPacket@securitynerds.org]
> Sent: Friday, December 31, 2004 5:37 PM
> To: focus-ids@lists.securityfocus.com
> Subject: IDS event filtering
>
> I am wanting to get an idea of what you guys out there filter from your
> IDS sensors. Some of the sensors I monitor get TONS of events for MSSQL
> control overflows. If the customer is patched for slammer and does not
> have any SQL services on the internet, is it safe to filter out those
> events? Do you still want to see that traffic even though you know you
> are not vulnerable? Thanks!
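Ofer's severity-tiering idea applied to the MSSQL/Slammer case from Billy's question, as an added example that is not part of this thread: alerts against hosts that are patched or do not expose the targeted service are downgraded to information-only (kept for the management summary of unsuccessful attacks) rather than dropped, while anything else stays actionable. The asset inventory, signature mapping, internal address range and alerts are all constructed, hypothetical data.

```python
import ipaddress
from collections import Counter

# Constructed (hypothetical) inventory: Internet-exposed services per host and
# the known issues the host is patched against.
ASSETS = {
    "10.0.0.5": {"exposed": {"http"}, "patched": {"slammer"}},
    "10.0.0.9": {"exposed": {"mssql"}, "patched": set()},
}
# Constructed mapping: signature name -> (service targeted, specific vuln or None).
SIGNATURES = {
    "MSSQL control overflow (Slammer)": ("mssql", "slammer"),
    "HTTP directory traversal": ("http", None),
}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

def classify(alert, assets=ASSETS, signatures=SIGNATURES):
    """Return 'high' (real-time, actionable) or 'info' (report only).

    Anything the inventory cannot vouch for stays 'high': suppression must
    be a positive decision, never the default for an unknown host."""
    service, vuln = signatures.get(alert["sig"], (None, None))
    asset = assets.get(alert["dst"])
    if asset is None or service is None:
        return "high"  # unknown target or untracked signature: never suppress
    if ipaddress.ip_address(alert["src"]) in INTERNAL:
        return "high"  # internal source: likely a compromised host, always act
    if service not in asset["exposed"]:
        return "info"  # service not reachable, the attack cannot succeed
    if vuln is not None and vuln in asset["patched"]:
        return "info"  # host is patched against this specific exploit
    return "high"

def triage(alerts):
    """Split alerts into the real-time queue and a per-signature summary
    of unsuccessful attacks for the management report."""
    actionable = [a for a in alerts if classify(a) == "high"]
    summary = Counter(a["sig"] for a in alerts if classify(a) == "info")
    return actionable, summary

# Constructed sample alerts (not real traffic).
ALERTS = [
    {"sig": "MSSQL control overflow (Slammer)", "src": "203.0.113.7", "dst": "10.0.0.5"},
    {"sig": "MSSQL control overflow (Slammer)", "src": "203.0.113.8", "dst": "10.0.0.5"},
    {"sig": "MSSQL control overflow (Slammer)", "src": "203.0.113.9", "dst": "10.0.0.9"},
    {"sig": "HTTP directory traversal", "src": "198.51.100.2", "dst": "10.0.0.5"},
    {"sig": "MSSQL control overflow (Slammer)", "src": "10.0.0.44", "dst": "10.0.0.5"},
]

if __name__ == "__main__":
    queue, report = triage(ALERTS)
    print(f"{len(queue)} actionable alert(s); unsuccessful attacks: {dict(report)}")
```

The inventory is the weak point of this scheme: a stale "patched" or "exposed" entry silently turns a real attack into an informational line, so the asset data needs the same review cadence as the IDS rules.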